In our previous article, we introduced the Notifiable Data Breach (NDB) Scheme which prescribes a procedure with which agencies and organisations (including small businesses) must comply in the event of a data breach.
The NDB Scheme comes into effect on 22 February 2018. Thereafter, the Scheme will only apply in circumstances where an eligible data breach has occurred. Accordingly, before the commencement date of 22 February arrives, it is highly recommended that you prepare your business’s cyber-security system so that you can identify and address future data breaches in line with the NDB Scheme. Indeed, strong cyber-security is also a proactive way to avoid data breaches in the first place.
But where do I start? Below is a summary of seven steps and strategies (recommended by the Office of the Australian Information Commissioner (OAIC)) to prepare and strengthen your business’s cyber-security system. In the meantime, it may also be wise to read the OAIC’s resources as well as consult a privacy lawyer for professional advice on the NDB Scheme.
Governance, Culture and Training
Insufficient interest in, or awareness of, cyber-security among staff may lead to the threat of a data breach being ignored or not properly attended to.
Therefore, it is important to foster a privacy and security aware culture among your staff through appropriate training, resourcing and management focus, such as:
- Compulsory induction training sessions on cyber-security for new staff.
- Regular cyber-security refresher training sessions for existing staff.
- Appointing a body or officer(s) who oversees, enforces and trains staff on the firm’s cyber-security policy.
Internal Practices, Procedures and Systems
Whereas the previous step focused on the culture and awareness of cyber-security (a ‘soft’ strategy), this step is about enforcing rules and policy (a ‘hard’ strategy). In general, your cyber-security policy should cover or require:
- A mandatory procedure (mirroring the NDB Scheme) on how to identify and report data breaches.
- Procedures for oversight, accountability and lines of authority for decisions relating to personal information security.
- Procedures for the storage of sensitive information at work and at home.
- Minimum standards and rules relating to use of end-user mobile devices and ‘Bring Your Own Device’ (BYOD).
According to the APP Code, the internal practices and procedures of your business must be documented, regularly reviewed and updated.
ICT Security
This refers to measures which protect both your hardware and software from misuse, interference, loss, unauthorised access, modification and disclosure. ICT security covers:
- Software security (including your website and applications)
- Network security (including firewalls, intrusion detection systems, blocking unauthorised downloads and Wi-Fi security)
- Whitelisting and Blacklisting (i.e. controlling the content, applications or entities that are allowed to run on or access a device or network)
- Testing (e.g. security testing and configuration reviews to discover any security weaknesses)
- Backing up (i.e. physical hard-copy or cloud-based storage back-ups)
- Email security
Access Security
This involves monitoring controls that protect your firm’s data from unauthorised access by hackers. Measures include:
- Trusted insider risk (i.e. limiting access to personal information to those staff who need it to enable your business to carry out its functions and activities)
- Identity management and authentication (i.e. to distinguish between authorised and unauthorised accessors)
- Passwords and passphrases (i.e. minimum length and character requirements, regular password updates, shared or unique passwords for staff)
Physical Security
This covers steps which prevent unauthorised physical access to both the soft and hard copies of your business’s data. Measures could include:
- Alarm systems (i.e. to control entry to the workplace)
- Location and lock security of file storage rooms
- Camera systems (i.e. to detect unauthorised accessors)
Third Party Providers
If you use cloud service providers or other third parties to store your data, it is important that you understand their information handling practices (including terms and conditions) so as to ascertain any risks and protect yourself accordingly.
Destruction and De-identification
Where an entity holds personal information it no longer needs for a purpose that is permitted under the APPs, it must ensure that it takes reasonable steps to destroy or de-identify the personal information.
Therefore, you should consider establishing a procedure for the destruction of electronic data (e.g. disk formatting) and physical data (e.g. shredding or burning). Whatever destruction method you use, the APP Code requires the destroyed data to be put ‘beyond use’ and rendered ‘irretrievable’.
In light of the NDB Scheme’s forthcoming commencement, it is important that you establish or improve your cyber-security so that you can identify and respond effectively to future data breaches in line with the NDB Scheme. Again, it is highly recommended that you consult a privacy lawyer to help you every step of the way.
Need to find a privacy lawyer? Contact a LawPath consultant on 1800 529 728 to learn more about customising legal documents, obtaining a fixed-fee quote from our lawyer marketplace or any other legal needs.